Security Vulnerabilities in Smart Contracts

Abstract: Smart contracts -- stateful executable objects hosted on blockchains like Ethereum -- carry billions of dollars worth of coins and cannot be updated once deployed. We present a new systematic characterization of a class of trace vulnerabilities, which result from analyzing multiple invocations of a contract over its lifetime. We focus attention on three example properties of such trace vulnerabilities: finding contracts that either lock funds indefinitely, leak them carelessly to arbitrary users, or can be killed by anyone. We implemented MAIAN, the first tool for precisely specifying and reasoning about trace properties, which employs inter-procedural symbolic analysis and concrete validator for exhibiting real exploits. Our analysis of nearly one million contracts flags 34,200 (2,365 distinct) contracts vulnerable, in 10 seconds per contract. On a subset of 3,759 contracts which we sampled for concrete validation and manual analysis, we reproduce real exploits at a true positive rate of 89%, yielding exploits for 3,686 contracts. Our tool finds exploits for the infamous Parity bug that indirectly locked 200 million dollars worth in Ether, which previous analyses failed to capture.
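An added illustration of the three bug classes the abstract names (greedy, prodigal, suicidal), written for this page; it is not code from the paper, from MAIAN, or from any deployed wallet. The point the paper makes about "trace" vulnerabilities is visible in `WalletUnsafe`: looked at one function at a time, `payOut` and `kill` are owner-guarded and `initWallet` moves no Ether, so nothing is wrong; only over the two-transaction trace `initWallet(attacker)` then `payOut(...)` or `kill()` do the funds leak or the contract die. The destination in `payOut` is an argument rather than `msg.sender`, which is the pattern the question near the end of the thread asks about. Contract names and the `VaultGreedy` deposit map are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example, not code from the paper or from any deployed wallet.
// WalletUnsafe is prodigal and suicidal over a two-transaction trace;
// VaultGreedy is greedy (accepts Ether, never releases it).

contract WalletUnsafe {
    address public owner;

    // Meant to be called once, right after deployment, but nothing enforces
    // that: any later caller can take ownership. On its own this function
    // moves no Ether, so a per-function check sees nothing wrong.
    function initWallet(address newOwner) external {
        owner = newOwner;
    }

    receive() external payable {}

    // Prodigal over the trace [initWallet(attacker), payOut(attacker, balance)]:
    // the owner check holds, but "owner" is whoever called initWallet last.
    // The destination is an argument, so funds can go to any address,
    // not only to msg.sender.
    function payOut(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }

    // Suicidal over the trace [initWallet(attacker), kill()].
    // selfdestruct is deprecated since Solidity 0.8.18 and, after the Cancun
    // upgrade (EIP-6780), only deletes code when called in the contract's
    // creation transaction; it still sends the whole balance away.
    function kill() external {
        require(msg.sender == owner, "not owner");
        selfdestruct(payable(owner));
    }
}

// Greedy: accepts Ether but has no path that ever sends it out, so every
// deposit is locked for as long as the chain exists.
contract VaultGreedy {
    mapping(address => uint256) public deposits;

    receive() external payable {
        deposits[msg.sender] += msg.value;
    }
    // no withdraw(), no selfdestruct, no call{value: ...}
}

// Hardened wallet: ownership fixed at construction, no re-initialisation.
// The owner check now guards a value that no later transaction can change,
// so there is no trace that turns an outsider into the owner.
contract WalletSafe {
    address public immutable owner;

    constructor() {
        owner = msg.sender;
    }

    receive() external payable {}

    function payOut(address payable to, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "send failed");
    }
}

// Hardened vault: every deposit has a matching release path.
contract VaultSafe {
    mapping(address => uint256) public deposits;

    receive() external payable {
        deposits[msg.sender] += msg.value;
    }

    // Checks-effects-interactions: zero the balance before the external call
    // so a re-entrant call cannot withdraw the same deposit twice.
    function withdraw() external {
        uint256 amount = deposits[msg.sender];
        require(amount > 0, "nothing to withdraw");
        deposits[msg.sender] = 0;
        (bool ok, ) = payable(msg.sender).call{value: amount}("");
        require(ok, "send failed");
    }
}
```

The check a reviewer wants here is not "is each transfer guarded?" but "can any sequence of calls change what the guard compares against?". `WalletUnsafe` fails that check because `owner` is writable by anyone at any time; `WalletSafe` passes it because `owner` is `immutable`.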

I'll echo echo's comment above. The abstract seems to be hovering at the boundary of what you can call English, but this sentence's meaning completely escapes me:

We implemented MAIAN, the first tool for precisely specifying and reasoning about trace properties, which employs inter-procedural symbolic analysis and concrete validator for exhibiting real exploits.

Interesting, for crypto-currency beginners (the crypto-currency name being sometimes unrelated to crypto, for bitcoin where it is sha256(sha256(random)), but newer such "currencies" are more crypto-like): the realisation of the smart contract is what triggers the payment of some funds held by the blockchain "escrow".

If the "smart contract" is the reception of some parcel by post, then if one can kill the smart contract one can have his cryptocurrency back (after receiving the parcel)...

We still need a spare Bruce to analyse (and maybe destroy) the zero-knowledge proof used by some crypto-currencies: proof that no money has been created, only money exchanged, on a transaction in the blockchain - while not knowing the buyer, the seller, nor the amount exchanged... For Bitcoin everything is in the open and "big data engines" can find each participant on each transaction and how rich they are - which at least bothers shop sellers.

It's both, though more academic-paper-ese than marketing. What it boils down to is that they're doing code analysis to find bugs. Due to the way "smart contracts" work, they can then be exploited to have a direct consequence rather than you having to deploy a separate payload.

But that also seems to be a dual-edged sword, limiting the exploit to what the contract specifies. The real killing blow would be if someone worked up ways to inject new "clauses" into the contracts, so that arbitrary code could be executed.

"[T]his was actually not a flaw or exploit in the DAO contract itself: technically the EVM was operating as intended, but Solidity was introducing security flaws into contracts that were not only missed by the community, but missed by the designers of the language themselves."

"We built a tool which quickly finds candidates of exploitable contracts on specifically the Ethereum blockchain. We are looking for three types of buggy contracts; ones that can accidentally lock up funds forever, ones that can leak funds to an arbitrary person, and ones where an arbitrary user can push the self destruct button."

"but this whole exercise is about finding things that shouldn't happen but actually can and do."

Fair point, I meant in what's "allowed" or expected to happen. The contract code is static in the chain and can't be changed without rewriting the entire thing, which is just what they did the last time millions were stolen from Ethereum, causing it to fork into E and E-classic. (If I'm repeating myself... tell me to go garden at night or something)

You're exactly on point with your last line, that's exactly what the main folks who argued for the post-DAO forking argued and why they purportedly did it, and that's why Eth-classic exists now. The main company continued on as "Ethereum" and the people who didn't want to accept rewriting the chain became "classic" to preserve the ledger "in principle" according to their argument. *They did however have a side-pot motive of not paying back the stolen DAO millions, whether or not that was anything relevant I have no idea.

It's also relatedly interesting that the overall "organization" does not require ID-authenticated users even in high-up decision roles (which are determined by 'anonymous' ownership %'s AFAIK) and as such "nobody knows" who some of these major players in the platform are beyond moniker. That struck me as.. interesting. Maybe that's how they all work, I hadn't bothered to look because I'm not a big gambler. :)

It has taken around three thousand years to knock the bugs out of "legal contracts" but they still end up in court to get arbitrated. I gather that this blockchain system has no way to allow arbitration... This does not bode well for this system's future.

Secondly is the basic problem of logics as formalised by Kurt Gödel in the early 1930s. For his two incompleteness arguments Gödel used Cantor number diagonals (as Turing did later) to demonstrate two things,

1, No consistent system of axioms whose theorems can be listed by an effective procedure is capable of proving all truths about the arithmetic of the natural numbers.

That is, for any such consistent system, there will always be statements about the natural numbers that are true, but that are unprovable within the system.

2, No consistent system of axioms whose theorems can be listed by an effective procedure can demonstrate its own consistency.

That is, for any such consistent system it can not describe itself in its entirety.

But that's a little abstract, what it is saying for our purposes is that no system of logic that is of real world use can show it is consistent. Which from a security perspective means that a contract based on logic can not show it is secure. Whilst you can not just flip it and say that means it's insecure, it does mean you either can not show it is secure or you need to find another logic system to show it is secure. But the use of another logic suffers from "the turtles all the way down" problem.

So what we end up with is,

A contract system that can not be shown to be secure that has no arbitration system if a security fault is exercised.

Does this really sound like a good idea?

Would you put your life savings, children's college funds, pension scheme and all property titles into it?

Well I personally would not even put spare pocket change into it.

Because something tells me that at some point somebody will go through legal arbitration and a judgment will be made against the system at which point it may no longer be viable...

The law itself recognises that no contract shall be exempt from arbitration, it's why the likes of End User Licences have very weird clauses about arbitration being held in some out of the way place etc, to try to achieve the same effect as not allowing arbitration.

@MrC: Could someone kindly explain to me why I'd ever want a "smart contract" in the first place? What's the use case for these?

Tentative:
I want to buy a smart phone from someone I do not know nor really trust in China. I would like this mobile phone to work (be useable) for at least a year.
The smart phone will obviously be connected to Internet, so can report if it is being used and is working properly.

So I would pay for this smart phone 50% of the price at reception (confirmed by post receipt), then 10% every 2 months (escrow held in the block chain) if the smart phone publishes that it is working properly every 2 months.
I'll also pay an extra 25% if I get a working software update after 1 year.
If the phone breaks down "the blockchain" will stop any payment and I will have my escrowed money available. Mostly both sides should be trying to get most of the smart contract running well.

Is it better than the current system of warranty when you buy physical goods in a real shop? Most of these "1 year warranties" are provided at a great price by the real shop, because he himself cannot repair or send back the stuff to the company which has disappeared/changed address in China anyway.

That is what I understand of smart contract.

Now there are other/newer crypto-currencies with different objectives, like linking a wallet to a passport in a real country, and doing a standard bank loan with such smart contract, with public reputation updates - I do not really know about those crypto-currencies.
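An added sketch of the escrow described in the comment above (the 2-monthly installments released only while the phone keeps reporting, and the remainder returned to the buyer if it stops). This is example code written for this page, not the commenter's or anyone's deployed contract. It assumes the phone holds a signing key whose address is fixed at deployment as `device`, that "working" is the phone's own report sent from that key, and that the amounts and the 60-day interval are chosen by the buyer; the 50% on delivery and the 25% update bonus from the comment are left out. The security-relevant design choice is that the `release` and `refund` conditions are mutually exclusive and together cover every state, so the contract never holds Ether that nobody can take out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Constructed example of a milestone escrow, not from the post or any project.
// Assumptions: `device` is the phone's signing address; heartbeat() is what the
// phone calls to say "I am working"; the buyer funds all installments up front.
contract PhoneEscrow {
    address public immutable buyer;
    address payable public immutable seller;
    address public immutable device;
    uint256 public immutable installment;  // wei released per interval
    uint256 public immutable interval;     // seconds, e.g. 60 days
    uint256 public immutable installments; // number of releases, e.g. 5

    uint256 public lastHeartbeat; // timestamp of the phone's last report
    uint256 public nextDue;       // end of the current reporting window
    uint256 public paid;          // installments released so far
    bool public closed;           // set once the buyer has been refunded

    constructor(
        address payable _seller,
        address _device,
        uint256 _installment,
        uint256 _interval,
        uint256 _installments
    ) payable {
        // Fund every installment at deployment so the seller can verify the
        // escrow holds exactly what the contract promises.
        require(msg.value == _installment * _installments, "fund all installments");
        buyer = msg.sender;
        seller = _seller;
        device = _device;
        installment = _installment;
        interval = _interval;
        installments = _installments;
        lastHeartbeat = block.timestamp;
        nextDue = block.timestamp + _interval;
    }

    // The phone reports it is working. Only the device key may do this.
    function heartbeat() external {
        require(msg.sender == device, "not the device");
        lastHeartbeat = block.timestamp;
    }

    // Anyone may trigger a release once a window has closed, provided the
    // phone reported at some point inside that window.
    function release() external {
        require(!closed && paid < installments, "escrow finished");
        require(block.timestamp >= nextDue, "window still open");
        require(lastHeartbeat + interval >= nextDue, "no report in this window");
        paid += 1;
        nextDue += interval;
        // Effects above, interaction below (checks-effects-interactions).
        (bool ok, ) = seller.call{value: installment}("");
        require(ok, "send failed");
    }

    // The buyer reclaims whatever is left once a window has closed with no
    // report inside it. The condition is the exact negation of release(),
    // so at any time exactly one of the two paths is open until paid out.
    function refund() external {
        require(msg.sender == buyer, "not the buyer");
        require(!closed && paid < installments, "escrow finished");
        require(block.timestamp >= nextDue, "window still open");
        require(lastHeartbeat + interval < nextDue, "phone reported in this window");
        closed = true;
        uint256 remaining = address(this).balance;
        (bool ok, ) = payable(buyer).call{value: remaining}("");
        require(ok, "send failed");
    }
}
```

The caveat a practitioner would raise: "working" here is self-reported by firmware the seller wrote, so a phone that keeps calling `heartbeat()` while its screen is dead still gets paid; the contract enforces the payment logic exactly, but it can only be as honest as the oracle feeding it, which is the same gap the thread's legal-arbitration comments point at.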

> Because something tells me that at some point somebody will go through legal arbitration and a judgment will be made against the system at which point it may no longer be viable...

I'd also be interested in your speculation about how historic contract details cryptographically locked into public immutability might subsequently interact with the EU ruling on the Right To Be Forgotten. My guess is "not well".

"It has taken around three thousand years to knock the bugs out of "legal contracts" but they still end up in court to get arbitrated."

I think the idea of algorithmic "Smart Contracts" originated in a particular USA specific legal delusion. There is a long standing myth in the US legal field that it should be possible to remove the role of human interpretation in arbitrating law. It is beautifully described, and mocked, in the 1996 bestseller: The Death of Common Sense: How Law Is Suffocating America by Philip Howard.

The summary is, it cannot be done. The mess that is USA "justice" is a perfect illustration of how this ends. I see the same mess coming to all "smart contracts".

Would you put your life savings, children's college funds, pension scheme and all property titles into it?

Considering how one-sided all the alternatives are, many people would. As you note, all systems have very fundamental flaws that simply cannot be resolved by our current understanding of natural laws. The best we can do is put in place a system of checks and balances between different systems that have differing flaws. So, no, putting absolutely everything into cryptocurrencies is not a smart move, but many more people have already lost their life savings in the boom-and-bust cycles of the established financial markets. Ethereum exploits aren't good news, but at least they're fair in how vulnerable they leave both parties.

@Impossibly Stupid,
"...but many more people have already lost their life savings in the boom-and-bust cycles of the established financial markets...."

Indeed they have, and many more will do so in the near future. We should know by now that financial markets are created only to enrich their creators, by offering their marks 'something for nothing'.* The era of 6% returns on savings and pension funds is gone, possibly forever. The old saying among investors in the stock market was "Don't invest what you can't afford to lose." This is still true, and it applies to crypto-currencies and other block-chain products as well. Like any other fad, the -theory- of block-chain technology is attractive, but it's computer-based, which is, by definition, insecure.

As long as we have to rely on technology to fix technology's problems, we'll be stuck in an endless cyber-war loop.

@Winter,
'Smart Contracts' can be stupid and poorly written. Putting them on a blockchain is supposed to make them verifiable and immutable. That doesn't remove the possibility of legal action. It might streamline it a bit.

For most applications of contract law, there are 'templates' established to use as models. They include careful, unambiguous definitions of terms (and are guaranteed to induce brain-freeze in non-lawyers:). But because you can sue anyone for anything, you still end up with lawyers arguing with lawyers, and regular folk don't understand what's happening. God help a jury that has to deal with it.

We are a nation of idealists. Naturally we want laws that are beyond interpretation, that is, that have only one meaning. Now, we have legislation that has enough wiggle-room for a truck to drive through.

What I don't -ever- want to see is AI 'courts' with AI judges.

----------
* The old Mafia dons used to 'buy' police and local politicians. Their modern equivalents buy legislation to make everything legal again, and what regulations can't be changed are simply ignored or not prosecuted.
. .. . .. --- ....

> Considering how one-sided all the alternatives are, many people would. As you note, all systems have very fundamental flaws that simply cannot be resolved by our current understanding of natural laws. The best we can do is put in place a system of checks and balances between different systems that have differing flaws. So, no, putting absolutely everything into cryptocurrencies is not a smart move, but many more people have already lost their life savings in the boom-and-bust cycles of the established financial markets. Ethereum exploits aren't good news, but at least they're fair in how vulnerable they leave both parties.

I'm not sure that being "fair in how vulnerable both parties are" is very comforting. The fact of the matter is, some people are honest and some aren't, and that kind of fairness only works if both parties are either honest or dishonest, not with an unmatched pair. It seems like the executable contract thing is kind of predicated on NOT having any "checks and balances", except the forking thing. And I'm not clear on how that really works. I'm betting if it depends on the fundamental honesty of everybody involved, the bottom line is "badly."

There's a reason modern computer systems no longer have a "crash" command...

I'm with Clive on this.
I recently had a roommate who was a developer for a hopeful ICO company who was doing something nebulous with smart contracts (I never saw any working code and frankly, kind of avoided knowing details...).

He was SURE that bitcoin could be "improved on" because all those distributed checks were making it slow to trade/speculate.

I mentioned that the slow part was its strength if any, and (I'm surprised I thought of it myself) that the immutability would eventually bring all such schemes to an end - like tulip speculation, and advised him to run while the running was good.

I pointed out the Schneier axiom that anyone can invent crypto they can't find the flaw in - but in the end, very little has turned out flawless (it could be argued that at best it buys some time...).

Of course he didn't know about this place and the last decade+ of careful thought here, mixed with some entertainment.

His company tried the ICO and he went to Europe to help promote it - he said they had at least some tens of millions coming in.

He got trapped there with no money to get back to the US and I'm putting his stuff in storage....

Did I say "I'm with Clive?" - I'm not making this up! I hope he's OK - a nice guy, pretty smart, but there seems to be considerable mania around this whole topic.

To misquote Mark Twain "Rumours of my potential demise are greatly exaggerated", I am still around "fighting the good fight" but not with as much might as I once would have done. And of course I still have the entertainment of giving members of the medical profession "splinters in their fingers" from scratching their heads.

Sadly though I've got to that time of life where you mark your longevity by the passing of old friends and people you have worked with over the years. The solution to which is of course, to associate more with people younger than myself so at some point they will have a way to mark their longevity.

That said my plan to live for ever is still working ;-)

How are things over in your patch of the world? More importantly how did it go with the 6KD6 Video Amp?

The last home brew monster I made like that was a pair of 4CX250Bs for a near DC-50meg linear. The advantage of the 250 is low grid to cathode cap that you can use as the terminating cap on a 50MHz LPF at around 150ohms, yes you need four times the drive but you can get that from IRF fets up to 120MHz or so with a bit of tweaking. With a lot of care and a little over volting (2400) on the anodes oh and a following wind it was pushing more than the 2KW dummy load liked. The problem though was changing the grid bias voltage from standby (~120) to operating (~55) I ended up making it electronically switched as the more modern relay contacts did not like it. It ended up with a "friend" that has the space for a large vertical Log periodic antenna[1] outside of the UK where they can get the benefit of it.

[1] The antenna looks like half of one of those diamond TV antennas turned on its and is on a 50ft mast. It's fine for transmitting but like all broadband antennas it's way too noisy for receive so they use hi-Q (~800) magnetic loops that are tuned with a vacuum cap to the required frequency. You'd be surprised at just how much difference they make as signals that are impossible to see on the broadband antenna with a hi-spec high dynamic range receiver with a 100Hz bandwidth come in nicely quietened on the loop and make a nice eye-diagram on the data scope. The system works well to two of the Great Capes the Falklands and into the southern ocean, which is what it was designed to do (who needs satellites ;-)

@Winter @Albert What I don't ever want to see is AI "courts" with AI judges. The situation that you describe is a centralized model where politicians can override the math. Artificial Neural Networks and Support Vector Machines are immune to Gödel's Incompleteness. Another solution, perhaps:

Don't make the Smart Contract language overly broad; do make it deterministic (as opposed to ambiguous). It doesn't need the ambiguities of a human's spoken language. Nor does it need to be able to prove/describe itself, which would mean making it "self-hosting," and that would be pointless, since we can write it in C, Java, etc.

In response to the article "Finding the Greedy, Prodigal and Suicidal Contracts at Scale" (linked from Mr. Schneier's post): In "Definition 3.3" the P, R and Q for prodigal contracts is hardcoded to "m[sender]." Will this miss all cases where an arbitrary ID can be passed as a value and the funds are sent there (e.g., to the sender's alternate account)?

Definition 3.4 (suicidal contracts) also seems hardcoded to only catch releasing funds to the sender directly. How can "m[sender]" catch an alternate account passed as an argument?

The definition of a greedy contract seems to be any payable contract that never sends funds to "m[sender]." What if it sends funds to an ID passed as an argument?

Why does "Posthumous Contracts" (in section 5.1 Results) mention 853 dead contracts that have funds, with only 294 of these having received their funds after they died? Suicide releases all funds, and if some of them died from being out-of-gas, those had no funds when they died either, correct?

How can contracts have funds after death unless they are paid after they already died? Why are dead contracts even payable?